VIEWS: 50 PAGES: 18 CATEGORY: Software POSTED ON: 10/9/2011
WebSphere is IBM's software platform. It includes the preparation, operation and monitoring of weather on demand for industrial-strength Web applications and cross-platform, cross-product solutions needed to the middleware infrastructure, such as servers, services and tools. WebSphere provides reliable, flexible and robust software.
professional expertise distilled P U B L I S H I N G IBM WebSphere Application Server v7.0 Security Omar Siliceo Chapter No.1 "A Threefold View of WebSphere Application Server Security" In this package, you will find: A Biography of the author of the book A preview chapter from the book, Chapter NO.1 "A Threefold View of WebSphere Application Server Security" A synopsis of the book’s content Information on where to buy this book About the Author Omar Siliceo, a professional Systems Engineer with a Master of Science degree in Electrical Engineering, started his IT career in the year 1991 as a Research Specialist, performing the roles of systems specialist, Internet and Unix systems administrator, and Internet systems consultant, when he was invited to join the Computer Center group at Vanderbilt University. In 1994, he joined the information technology team as a consultant, performing systems integration at the King Faisal Specialist Hospital and Research Centre in Saudi Arabia. After returning to the United States of America in 1997, he launched his IT consulting practice, creating partnerships with companies such as CTG and Ajilon. During the period from 1997-2004 he spent most of it (19972002) working with IBM in finding e-commerce solutions for customers such as Macy's, the NBA Store and Blair, and event Cybercast Infrastructure Administration for customers such as The Wimbledon Championships and The Masters Golf Tournament. It was during this period that he became exposed to early WebSphere technologies, including but not limited to WebSphere Application Server, WebSphere Commerce Suite, WebSphere Portal, and WebSphere Everyplace Suite. In his last year with IBM, he focused on providing design, programming consultation, and problem solving to Fortune 500 software vendors and software integrators who were For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book IBM's business partners. Between 2002 and 2004, he served as a consultant to The World Bank Group and Blue Cross Blue Shield of Florida. His role was the administration of WebSphere environments including some special projects such as the rollout of the latest version of their WebSphere environments. In 2004, he interrupted his consulting practice when he was invited to join the IT engineering team at Cummins, Inc. He served as Senior Web Technologies Engineer and later on as the Web Deployment team manager. As Senior Engineer, he architected the infrastructure environment for WebSphere 5.1, defining standards for platform creation, WAS deployment, and integration with existing enterprise technologies and services. In 2008, he resumed his consulting practice, supporting WebSphere Application Server, WebSphere Portal, and WebSphere Edge Components efforts and initiatives with Bank of America (2008), Blue Cross Blue Shield of Florida (2008 2009), and The World Bank Group, where he is currently Senior WebSphere Suite consultant. First and foremost, I would like to thank the Lord for providing this unique, challenging, and rewarding opportunity as well as the resources to complete this fun project. Secondly, I would also like to thank my wife, Melissa, for her love, support, and encouragement throughout this undertaking. In addition, I wish to extend my gratitude to my sons, Tano and Chago, for allowing me to give up time that otherwise I would have spent with them. Furthermore, I would like to express my appreciation to Packt for having reached out to me to propose this project. In particular, I thank my editorial team and their management for all the support provided in order to make this project a reality. I also would like to thank the technical team of experts who painstakingly reviewed each of the chapters for their corrections, observations, and most welcomed suggestions to improve the quality of this work. Finally, I want to thank the folks at The World Bank Group, in particular Srini, Balaji, Suresh, and Ajay, for their encouragement during this project. I think they promised to buy a copy each. For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book IBM WebSphere Application Server v7.0 Security IBM WebSphere Application Server Network Deployment is IBM's ﬂ agship J2EE application server platform. It implements the J2EE technology stack. This stack enables the WebSphere Application Server platform to execute the user's Java enterprise applications that perform business functions. There are several roles who use this platform such as architects, developers, and administrators, to mention a few. Within the administrator role, in turn, there are several functions such as installation, performance, security, and so on. This book starts with an in-depth analysis of the global and administrative security features of WebSphere Application Server v7.0, followed by comprehensive coverage of user registries for user authentication and authorization information. Moving on you will build on the concepts introduced and get hands-on with a mini project. In the next chapter, you work with the different front-end architectures of WAS along with the Secure Socket Layer protocol, which offer transport layer security through data encryption. You can learn user authentication and data encryption, which demonstrate how a clear text channel can be made safer, by using SSL transport to encrypt its data. This book will show you how to enable an enterprise application hosted in a WebSphere Application Server environment to interact with other applications, resources, and services available in a corporate infrastructure. Platform hardening, tuning parameters for tightening security, and troubleshooting are some of the aspects of WebSphere Application Server v7.0 security that are explored in the book. Every chapter builds strong security foundations, by demonstrating concepts and practicing them through the use of dynamic, web-based mini projects. What This Book Covers Chapter 1, A Threefold View of WebSphere Application Server Security, uses a novel approach to compare ways in which WebSphere security elements are perceived, usually according to the role of the individual working with the technology. These ways or views help you understand the foundations of WebSphere security, providing multiple angles from where to analyze this set of technologies and communicate in their language with different functional teams within your organization. Chapter 2, Securing the Administrative Interface, walks you through the necessary steps to secure access to the WebSphere graphical interface, known as the ISC (Integrated Solutions Console). As a prerequisite to securing the ISC, you must first enable the WebSphere Application Server platform security, known as global security. During these For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book processes, the chapter succinctly describes relevant security topics (for example, user registries) and highlights what parameters are required in order to perform each step. Chapter 3, Configuring User Authentication and Access, provides concise technical background on the security topics related to setting up user authentication (validation of presented user credentials) and user access—determining if an authenticated user has rights to access to the requests made. The chapter describes some important concepts such as WebSphere Security Domains (a new feature in version 7 of WAS), user registries (reviewed in more depth), as well as a review of popular user registries available to be used in a WebSphere environment. The chapter ends by binding all these concepts using a mini project that walks you through protecting application servers. Chapter 4, Front-End Communication Security, describes and compares popular infrastructure architectures used to design front-end of a WebSphere environment. The chapter goes on explaining a major security used to secure communication channels, SSL, and describes several related aspects such as SSL certificates and CA (certificate authority). At the end, the chapter walks you through the process, in the way of a mini project, used to secure the front-end of a WebSphere environment from the HTTP server (IHS) to the actual Application Server. Chapter 5, Securing Web Applications, briefly introduces concepts related to securing Java Web Applications (or more succinctly Web Applications). The chapter then uses an in-depth mini project where you will be walked through in the various stages to design, code, package, deploy, and configure a simple Web Application that offers access to employees of a fictional corporation. Each type of employee will have access only to sections of the Web Application. Therefore, you will configure WebSphere in order to implement this secure functionality. Chapter 6, Securing Enterprise Java Beans Applications, introduces concepts related to Enterprise Java Beans (EJB) technologies such as declarative and programmatic security. The chapter then uses the mini-project approach to walk you through the stages needed to design, code, package, deploy, and configure a simple EJB application. The mini-project in this chapter reuses modules from the previous chapter to implement a very simple portal application that will offer a better user experience to the employees of our fictional corporation. Chapter 7, Securing Back-end Communication, focuses on two major concepts: authentication and data encryption. Authentication is reviewed from the point of view of trust between two infrastructure components, for example, WebSphere and a back-end database. The chapter expands on the major topics by providing in detail two examples of their use. It explores how encryption is used in the communication between WebSphere and a popular type of user registry, LDAP. The chapter also examines the use of authentication during the exchanges between WebSphere and databases using the JDBC protocol. For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 8, Secure Enterprise Infrastructure Architectures, describes areas that will enable an enterprise application hosted in a WebSphere environment interact with possibly other applications, resources, and services available in a corporation infrastructure. It covers central concepts such as LTPA and SSO. The chapter ends by showing you how to ﬁ ne-tune authorization at the HTTP Server level as well as at the WebSphere level. Chapter 9, WebSphere Default Installation Hardening, deals with engineering the default WebSphere installation by changing its default parameters in order to harden the product's security side and customizing the ﬁ les that hold the WebSphere environment security certificates and signers. The chapter focuses on two major aspects. While it points out what characteristics in the OS to review and modify, on the other hand, it discusses securing ﬁ les related to certificates—key and trust stores—and ﬁ les that hold passwords. Chapter 10, Platform Hardening, looks at aspects of the platform where WebSphere is hosted that can be modified to increase the environment security. The chapter breaks down the OS into areas relevant to the WebSphere platform: generic operating system characteristics (for example, user accounts), file system features (for example, ﬁ le permissions), and network system configuration. Chapter 11, Security Tuning and Troubleshooting, overviews three major areas that can be improved by tuning key parameters as well as a couple of troubleshooting areas. The tuning section overviews general security, CSIv2 connectivity, and user directories and user permissions. Finally, the troubleshooting section reviews general security configuration exceptions and run time security exceptions. For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security Imagine yourself at an athletic event. Hey! No, no-you are at the right place. Yes, this is a technical book. Just bear with me for a minute. Well, now that the little misunderstanding is out of the way let's go back to the beginning. The home crowd is really excited about the performance of its team. However, that superb performance has not been yet reﬂected on the scoreboard. When ﬁnally that performance pays off with the long-waited score, 'it' happens! The score gets called off. It is not at all unlikely that a controversial call would be made, or worse yet, not made! Or so we think. There is a group of players and fans of the team that just scored that 'see' the play as a masterpiece of athletic execution. Then there is another group, that of players and coaches of the visiting team who clearly see a violation to the rules just before the score. And there is a third group, the referees. Well, who knows what they see! The fact is that for the same action, there may be several perceptions of the same set of events. Albert Einstein and other scientists provided a great example of multi-perception with the wave-particle duality concept. In a similar fashion, a WebSphere based environment could be analyzed in a number of forms. None of the forms or views is absolutely correct or incorrect. Each view, however, helps to focus on the appropriate set of components and their relationships for a given situation or need. For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security WebSphere Application Server technology is a long and complex subject. This chapter provides three WAS ND environment views, emphasizing security, which will help the reader connect individual security tasks to the big picture. One view aids the WebSphere administrator to relate isolated security tasks to the overall middleware infrastructure (for example, messaging systems, directory services, and back-end databases to name a few). This is useful in possible interactions with teams responsible for such technologies. On the other hand, a second view helps the administrator to link speciﬁc security conﬁguration tasks to a particular Enterprise Application (for example, EJB applications, Service Integration Bus, and many more) set of components. This view will help the administrator to relate to possible development team needs. The chapter also includes a third view, one that focuses on the J2EE technology stack as it relates to security. This view could help blend the former two views. So, in a nutshell, the three major parts that make up this ﬁrst chapter are: The Enterprise Application Server infrastructure architecture view The WebSphere Application Server architecture view The WebSphere technology stack view Enterprise Application-server infrastructure architecture view This chapter starts with the Application Server infrastructure architecture view. The actual order of each of these major chapter sub-sections is really unimportant. However, since it needs to be a beginning, the infrastructure architecture view is thus selected. A possibly more formal name for what it is desired to convey in this section would be the Enterprise J2EE Application server infrastructure architecture. In this way, the scope of technologies that make up the application-centric architecture is well deﬁned as that pertaining to J2EE applications. Nevertheless, this type of architecture is not exclusive to a WebSphere Application Server Network Deployment environment. Well, it's not in a way. If the architecture does not mention speciﬁc implementations of a function, it is a generic view of the architecture. On the other hand, if the architecture view deﬁnes or includes speciﬁc branded technologies of a function (for example, IHS for a web server function), then it is a specialized architecture. The point is that other J2EE application server products not related to the WebSphere umbrella may use the same generic type of infrastructure architecture.  For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 1 Therefore, this view has to do with J2EE application servers and the enterprise infrastructure components needed to sustain such application servers in a way that they can host a variety of enterprise applications (also known as J2EE applications). The following diagram provides an example of a basic WebSphere Application Server infrastructure architecture topology: The use of multiple user registries is new in version 7.0 Simple infrastructure architecture characteristics The architecture is basic since it only shows the minimum infrastructure components needed by a WebSphere Application Server infrastructure to become functional. In this diagram, the infrastructure elements are presented as they relate to each other functionally. In other words, the diagram is generic enough that it only shows and identiﬁes the components by their main function. For instance, the infrastructure diagram includes, among others, proxy and messaging servers. Nothing in the diagram implies the mapping of a given functional component to a speciﬁc physical element such as an OS server or a specialized appliance.  For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security Branded infrastructure elements The infrastructure architecture presented in the diagram depicts a WebSphere clustered environment. The only technologies identiﬁed by their brand are the IBM HTTP Server (IHS) web server component (represented by the two rectangles (light blue) labeled IHS) and the WebSphere Application Server (WAS) nodes (represented by the rectangles (green) labeled WAS). These two simple components offer a variety of architectural choices, such as: Hosting both components in a single OS host under a WAS node Host each component in their own OS host in the same sub-network (normally an intranet) Host each component in different OS hosts in different sub-network (normally a DMZ for the IHS and intranet for the WAS) The choice for a speciﬁc architecture will be made in terms of a variety of requirements for your environment, including security requirements. Generic infrastructure components The infrastructure diagram also includes a number of components that are only identiﬁed by their function but no information is provided as to the speciﬁc technology/product implementing the function. For instance, there are four shapes (light yellow) labeled DB, Messaging, Legacy Systems, and Service Providers. In your environment, there may be choices to make in terms of the speciﬁc component. Take for instance, the DB component. Identifying what DB server or servers will be part of the architecture is dependent on the type of database employed by the enterprise application being hosted. Some corporations limit the number of database types to less than a handful. Nevertheless, the objective of the WebSphere Administrator responsible for the environment is to identify which type of databases will be interfacing with the WAS environment. Once that fact is determined, the appropriate brand/product could be added to the architecture diagram. Other technologies/components that need to be identiﬁed in a similar way are the user registry (represented by the shape (light purple) labeled User Registry), the security access component (represented in the diagram by the oval (yellow) labeled Security Access). A common type of user registry used in WebSphere environments is an LDAP server. Furthermore, a popular security access product is SiteMinder (formerly by Netegrity, now offered by CA). [ 10 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 1 The remaining group of elements in the architecture has the function to front-end the IHS/WAS environment in order to provide high availability and added security. Proxy servers may be used or not, depending on whether the IHS function can be brought to the DMZ in its own OS host. Specialized appliances offered by companies such as CISCO or F5 normally implement load balancers. However, some software products can be used to implement this function. An example to the latter is the IBM WebSphere Edge suite. In general, most corporations already own and use ﬁrewalls and load balancers; so for the WebSphere administrator, it is just a matter of integrating them to the WebSphere infrastructure. Using the infrastructure architecture view Some of the beneﬁts of picturing your WebSphere environment using the infrastructure architecture view come from realizing the following important points: Identify the technology or technology choices to be used to implement a speciﬁc function. For instance, what type of user registry to use. An immediate result of the previous point is identifying the corporate group the WebSphere administrator would be working with in order to integrate (that is, conﬁgure) said technology and WebSphere. Once the initial architecture has been laid out, the WebSphere administrator will be responsible to identify the type of security involved to secure the interactions between the various infrastructure architecture components. For instance, what type of communication will take place between the IHS and the Security Access component, if any. What is the best way to secure the communication channel? How is the IHS component authenticated to the Security Access component? WebSphere architecture view The next view to be presented is that of the WebSphere Application Server product architecture. In a nutshell, the WebSphere Application Server product is an implementation of the J2EE set of speciﬁcations with some added functionality only found in this IBM product. Therefore, as opposed to the previous section, this view is unique to WebSphere. Consequently, this section brieﬂy presents the salient components of the J2EE technologies and their relation to each other from the functional and architectural point of view. Furthermore, emphasis will be placed on aspects that affect or may be affected by security considerations. [ 11 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security WebSphere Application Server simpliﬁed architecture The following diagram depicts a simpliﬁed version of the WebSphere Application Server architecture. It presents the application server in the context of a WebSphere node. The application server is the implementation of a JVM. The JVM is made up of various components and at the same time, the JVM interacts with several external components that make up the WebSphere node. So, the diagram presents two major components of a WebSphere environment. On the one hand, the JVM is represented by the parallelogram (purple ) labeled Application Server. On the other hand, a larger parallelogram (teal) labeled node represents the WebSphere node. Keep in mind that the simpliﬁcation to the architecture has been done to concentrate on how it relates to application hosting in a secure environment. The concept of local security domains is new in version 7.0. [ 12 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 1 WebSphere node component The node component of this simpliﬁed architecture occupies itself with administrative and thus security aspects between the WebSphere environment and the infrastructure. In the previous diagram, three components can be observed. The ﬁrst component is the node agent; represented by the small parallelogram labeled Node agent. Notice that the node agent in itself is implemented by a specialized JVM, containing the components required to efﬁciently perform administrative tasks, which will include security related tasks. The node agent will interact with WebSphere environment administrative components externals to the node (and not included in the diagram). The chief among those external WebSphere components is the Deployment Manager. One of the responsibilities of the node agent as it pertains to the node and thus, to the application server JVM, is to maintain updated and valid copies of the node conﬁguration repository. Such a repository may include information dealing with security domain information, either inherited from the WebSphere cell global security or customized for the node, represented by the parallelogram (black) labeled Local Security Domain. WebSphere JVM component The second major component of this simpliﬁed architecture is the implementation of a JVM. It is represented in the diagram by a large parallelogram (purple) labeled Application Server. A WebSphere JVM is made of, among other components, several containers such as the Web and EJB containers. Containers, on top of hosting instantiations of Java classes such as servlets and beans, that is, offering the runtime environment for those classes to execute, deal with security aspects of the execution. For instance, a Web Container may, given the appropriate settings, oversee that hosted resources only execute if the principal making the request has the required proof that entitles such principal of receiving the result of said request. In addition to containers, a WebSphere JVM may also instantiate a service integration bus (SIB) if a hosted application makes use of the JVM messaging engine. In the diagram, the arrow (brown) labeled SIB represents the bus. Finally, the other JVM components included in this simpliﬁed architecture are the administrative component and the JVM security mechanism. This mechanism will interact with the containers to ensure that security is propagated to the classes executing in the said containers. [ 13 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security From this discussion, it can be extrapolated that each vendor has certain leniency as to the actual implementation of Sun's JVM. IBM is not an exception to this practice. If you wish to ﬁnd out more about the particulars of the IBM JVM implementation for WebSphere please refer to the Information Center article "Speciﬁcations and API" (http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index. jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rovr_specs.html). In that article you will ﬁnd out which Java speciﬁcations and application programming interfaces are implemented as well as the version each implements. This information is presented in a neat table that helps you compare each speciﬁcation and API version to earlier editions of the WebSphere Application Server product (that is, 5.1, 6.0 and 6.1). Using the WebSphere architecture view The main beneﬁt of analyzing your WebSphere environment using this view is that it will provide you with the vocabulary to better understand the needs of application developers and architects and, equally important, to communicate back to them the special features the WebSphere environment may offer them as well as any possible restrictions imposed by security or other infrastructure characteristics. An additional beneﬁt provided by this view is that it offers alternatives to troubleshooting application related issues, as you will become more familiar with which JVM components are being used as the runtime environment for a given enterprise application. WebSphere technology stack view Finally, the third view covered in this chapter is that of the WebSphere environment technology stack. In other words, this view presents which technologies from the operating system to the WebSphere Application product are involved, highlighting the aspects related to security. This view is broken down into three categories, which are described in the following paragraphs. The stack and its categories are depicted in the diagram shown in the next sub-section. OS platform security At the bottom of the stack there are the primitive technologies. The term primitive in this context does not carry the meaning of backward, but rather that of foundation technologies. In the following diagram, the rectangular (bright green) area located at the bottom of the stack represents the OS platform layer. [ 14 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 1 In this layer, the presence of the underlying operating system can be observed. In the end, it is the responsibility of the OS to provide the low-level resources needed by the WebSphere environment. Furthermore, it is also its responsibility to enforce any security policies required on such resources. Two of the more prominent OS components as they relate to a WebSphere environment are the ﬁle system and the networking infrastructure. Both the ﬁle systems and the networking infrastructure are handlers of special resources. [ 15 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book A Threefold View of WebSphere Application Server Security Java technology security The next layer in this architecture is that of the Java technology. This layer comprehends the core Java technologies and APIs used within the WebSphere environment. In the previous diagram, the layer is represented by the rectangle (teal) in the middle of the stack. The layer is further broken down into three distinct groups among the Java stack. At the bottom sit the foundational bricks. The Java Virtual Machine and the Java Language Speciﬁcation. The JVM is the enabler whereas the Language Speciﬁcation lays down basic and general rules that must obeyed by the entities that will populate the JVM. The middle brick of this layer is that of Java 2 Security. It includes more sophisticated rules that will enable entities in the JVM to achieve more complex behaviors in harmony with the rest of the inhabitants. Finally, at the top of this layer there is the J2EE Security brick. It brings additional enablers to the JVM and rules that must be followed by the entities that populate these remote areas of the Java galaxy. WebSphere security At the top of the technology stack, sits the WebSphere security layer. It builds up on the previous layers and brings on board open and proprietary security bricks to supplement the Java foundation. In other words, the WebSphere high-level security layer offers conduits using a number of technologies such as LTPA, Kerberos, and so on, that make the WebSphere environment more robust. This layer is represented in the previous diagram by the rectangle (maroon) located at the top. In general, the number of technologies supported by this layer as well as the implementation version of such technologies is one of the aspects that make up each new WebSphere release. [ 16 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Chapter 1 Using the technology stack view One of the main beneﬁts of the technology stack view is that it helps WebSphere practitioners involved in various roles to map the various technologies included in this stack to the functional blocks that make up the other two views. Some practitioners will beneﬁt by selecting the most appropriate subset among the classes offered by the WebSphere environment to implement a required functionality. Other practitioners will beneﬁt by integrating into the WebSphere environment the best infrastructure component that will help to enable a piece of functionality required by a hosted application. Summary This chapter presents an introduction to WebSphere security by taking the reader to a tour that helps him observe the environment from three different angles. Each of the views presented in a way supplements the other two. Aspects related to security are at the center of each of the views described. In this chapter and in the remaining part of the book experienced users will get acquainted with new security aspects offered by the IBM WebSphere Application Server Network Deployment version 7.0. In addition, and perhaps more importantly, the material covered in this chapter and the rest of the book is presented so no prior knowledge of WebSphere security (as in earlier versions of WebSphere) is required. This fact makes it easier for new WebSphere administrators to learn the security aspects of WebSphere version 7.0. Throughout the rest of the book, the terms WebSphere Application Server Network Deployment version 7 and WAS ND7 will be used interchangeably. Let's get started! [ 17 ] For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book Where to buy this book You can buy IBM WebSphere Application Server v7.0 Security from the Packt Publishing website: https://www.packtpub.com/ibm-websphere- application-server-v70-security/book. Free shipping to the US, UK, Europe and selected Asian countries. For more information, please read our shipping policy. Alternatively, you can buy the book from Amazon, BN.com, Computer Manuals and most internet book retailers. professional expertise distilled P U B L I S H I N G www.PacktPub.com For More Information: www.PacktPub.com/ibm-websphere-application-server-v70-security/book
Pages to are hidden for
"IBM WebSphere Application Server v7"Please download to view full document